Director Information Security - Governance, Risk, and Compliance
University of Virginia
KEY RESPONSIBILITIES
Strategic Planning and Financial Oversight
- Lead the strategy development and execution of multiple elements of a comprehensive enterprise-wide Information Security Program aligned with organizational goals and regulatory requirements.
- Design and execute multi-year road maps to transform information security capabilities and collaborate with health system entities to align critical security measures with key business initiatives.
- Drive innovation and lead organizational change initiatives to enhance security posture and operational resilience. Act as a change agent for new technologies and processes that reduce risk and enhance security within Health IT.
- Develop and manage the information security budget, ensuring optimal allocation of resources to meet strategic objectives.
- Develop and maintain a culture of security that emphasizes the responsibilities of all health system employees to help protect sensitive information, systems, and networks.
Leadership and Operations Management
- Provide visionary leadership to the Information Security team, fostering a culture of accountability, innovation, and continuous improvement.
- Apply deep expertise in cybersecurity operations, regulatory compliance, and risk management to guide enterprise operations and decision-making.
- Direct and manage Information Security Department actions and operations. Lead multiple teams through the prioritization and implementation of service improvement projects.
- Direct the design and implementation of solutions that are secure, scalable, reliable, cost-effective, and aligned with the Information Security mission to reduce risk while enhancing productivity.
- Determine the value and ROI of security projects, and prioritize scheduling and implementation to ensure the efficient utilization of resources.
- Develop staff as needed to ensure current and future team skills and capabilities are aligned with the planned departmental growth and transformation.
Service Delivery and Stakeholder Management
- Serve as a senior authority and strategic advisor on information security, influencing executive leadership and cross-functional stakeholders.
- Champion effective communication and collaboration across departments to embed security into business processes and technology initiatives.
- Track implementations to ensure service and financial targets are met according to agreed timelines.
- Oversee and negotiate service level agreements (SLAs) with internal and external stakeholders.
- Direct relationships with vendors to ensure that vendors meet agreed performance objectives, SLAs, and deliverables in a timely manner and within budget guidelines.
- Interact with major suppliers, overseeing RFPs, contracts, and service agreements.
Policy Development and Implementation
- Oversee the creation and maintenance of policies, procedures, and guidelines to ensure efficient service operation and protect the organization's computing infrastructure and data.
- Collaborate with Legal, Privacy, and Compliance teams to ensure compliance with relevant laws, regulations, and policies.
- Advocate for changes in other Health IT departments to ensure compliance with security policies.
ADDITIONAL RESPONSIBILITIES
- Cultivate and mentor high-performing security professionals, building leadership capacity and technical expertise across the team.
- Perform other director-level duties as assigned to support the mission and strategic direction of the organization.
- Keep abreast of emerging technologies, risks, and industry trends.
- Assist in the recruitment, hiring, training, and development of Information Security staff, ensuring the team possesses the necessary skills and knowledge to fulfill the department's mission.
MINIMUM QUALIFICATIONS
Education: Bachelor's degree in information security, computer science, or a related field required. A master's degree is preferred.
Experience: Ten years of experience in information technology within a related area, including at least five years of progressive responsibility in a technology leadership role managing information security teams. Healthcare experience is preferred, particularly in academic healthcare security operations, risk management, or access management.
Strong understanding of information security concepts, protocols, industry best practices, and regulatory requirements; knowledge of networking, enterprise applications, cloud computing, information risk management, and compliance frameworks preferred.
Ability to communicate clearly, in writing and verbally, in both formal and informal settings.
Demonstrated initiative and success in providing Information Security services, preferably in an academic healthcare setting.
Strong analytical and problem-solving skills.
Ability to work under pressure and handle multiple priorities.
One or more of the following professional certifications or equivalent is required:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Global Information Assurance Certification (GIAC, from SANS)
- Offensive Security Certified Professional (OSCP)
PHYSICAL DEMANDS
This is primarily a sedentary job involving extensive use of desktop computers. The job occasionally requires traveling some distance to attend meetings and programs.
Position Compensation Range: $118,144.00 - $236,288.00 Annual
The University of Virginia is an equal opportunity employer. All interested persons are encouraged to apply, including veterans and individuals with disabilities.